Security at OpenPartner.
We hold partner attribution data, transaction records, and the credentials brands use to operate their programs. We treat all of it like the audit-grade records they are — and we publish enough detail here that you can verify our practices, not just take our word.
Controls in place today.
Encryption in transit
TLS 1.2+ everywhere. The router, API, and portal redirect HTTP to HTTPS. Stripe webhooks are verified using Stripe-issued signing secrets before any side effects.
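The check described above, sketched as an added example (not OpenPartner's code): it follows Stripe's documented v1 scheme, an HMAC-SHA256 over the timestamp and raw body, and refuses to run any side effect until the signature and timestamp pass. The names `verify_webhook`, `handle`, the 300-second tolerance and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; Stripe's libraries default to 5 minutes


def sign(secret, timestamp, payload):
    """HMAC-SHA256 over b"<timestamp>.<raw body>", hex encoded (Stripe's v1 scheme)."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_webhook(payload, header, secret, now=None):
    """Return True only if the Stripe-Signature header authenticates the raw body."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":  # other schemes (such as v0) are ignored
            candidates.append(value)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery: treat as a replay
    expected = sign(secret, int(timestamp), payload).encode()
    # Several v1 values can be present while a secret is being rolled; any match passes.
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def handle(payload, header, secret, ledger, now=None):
    """Verify first, act second. Returns an HTTP status code."""
    if not verify_webhook(payload, header, secret, now):
        return 400
    ledger.append(payload)  # stand-in for the real side effect
    return 200


# Constructed sample values, not real Stripe data.
SECRET = "whsec_constructed_example"
BODY = b'{"type":"transfer.created","id":"evt_constructed"}'
T0 = 1_700_000_000
HEADER = f"t={T0},v1={sign(SECRET, T0, BODY)},v0=ignored"
```

The signature covers the raw request bytes, so verification has to happen before any JSON parsing or re-serialization of the body.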
Encryption at rest
Sensitive credentials (SMTP passwords, Postmark tokens, future third-party secrets) are AES-256-GCM encrypted with a per-deployment key (SECRETS_ENCRYPTION_KEY) before persistence. Plaintext never touches the JSON we return to clients.
Authentication
Magic-link sign-in with single-use tokens. Sessions are HttpOnly cookies bound to user agent class and IP class. API keys are scoped (e.g., partners:write, links:write, commissions:read) and revocable individually.
Access control
Admin and partner roles are first-class. Self-revoke is blocked, and last-admin guards prevent lockouts. Every privileged endpoint requires both authentication and explicit role checks.
Audit trail
Raw clicks, identities, conversion events, commissions, and payouts are immutable rows. Corrections are written as new ledger entries — nothing is updated in place. Full history is exportable.
No fund custody
OpenPartner never holds money. Payouts run through Stripe Connect Standard accounts that partners own directly. We facilitate transfers; we don't intermediate them.
You don’t have to trust us. You can audit us.
Closed-source SaaS companies ask you to trust their security claims. We ask you to check ours. The OpenPartner core is on GitHub under MIT — every line of attribution logic, every webhook handler, every secret-encryption pathway. If a security researcher wants to verify how we encrypt SMTP passwords or whether magic-link tokens leak, they can read the code. So can your team.
Self-hosting the core takes this further: your data never leaves your infrastructure. For regulated industries or anyone who can’t accept third-party data residency, that’s a guarantee no closed-source competitor can match.
Where we’re going.
OpenPartner is pre-launch. We don’t hold compliance certifications today, but our architecture is designed for them. SOC 2 Type II is on the roadmap; we’ll publish progress publicly as we go.
- SOC 2 Type II: in scoping. Targeting evaluation period start within 12 months of GA.
- GDPR / DPA: a Data Processing Addendum is available on request for hosted customers.
- Data residency: US currently. EU residency is on the roadmap; self-host is the path today.
Reporting a security issue.
If you believe you’ve found a vulnerability, please email [email protected] with details and a way to reproduce. We commit to:
- Acknowledging your report within 2 business days.
- Keeping you in the loop on triage and remediation timelines.
- Publicly crediting reporters (with your permission) once fixes ship.
- Not pursuing legal action against good-faith research within the scope of openpartner.dev and the open-source repo.
Please don’t test against other customers’ data, perform DoS, or exfiltrate data beyond what’s necessary to demonstrate impact.